USE CASE

Avoid Costly Inter-Cloud Routing Mistakes with an Intent Check

Fix inter-cloud routing mistakes across all your cloud instances — including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure — quickly and easily, while maintaining application availability
Engineers and accountants share a common trait: neither likes surprises, especially when they arrive as cloud bills far higher than anticipated. Because cloud computing is billed on consumption, much like electricity, some fluctuation is normal and unavoidable. A single inter-cloud routing error, however, can easily deliver a six-figure surprise, and without proactive checks IT teams remain unaware of the problem until the bill arrives.
 
A web search for “unexpected AWS charges” returns hundreds of thousands of results. Bear in mind that these are only the people who took to the web to vent or ask for help, so the problem is likely far more widespread.
 
In addition to the economic consequences, inefficient traffic routing to and from your cloud instances and other services adds bandwidth consumption and latency that degrade network and application performance. Your users are unlikely to know that the network paths they regularly take to critical apps are costing the business more than they should, but they will certainly notice when reaching and using those resources is slow.
 
So, how can you identify and fix inter-cloud routing mistakes across all your cloud instances — including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure — quickly and easily, while maintaining application availability? By using the intent check feature in the Forward Enterprise platform from Forward Networks. 
Confirming What Works While Finding a More Efficient Approach
Forward Enterprise lets you visualize your entire cloud estate alongside your on-premises environment in a single normalized view. The intent check feature in the platform confirms that traffic to, from, and between your cloud environments is taking the desired path. If a routing change violates policy, the appropriate team is alerted as soon as the next snapshot detects it, so they can fix the problem before it grows.
 
For example, say that a user or workload in your GCP production environment needs to reach the internet, and your security policy permits internet access directly from GCP. With the path visualization in the Forward Enterprise dashboard, however, you can see that the path currently taken to the internet is not direct.
 
Instead of leaving GCP through Google Cloud NAT to reach the internet, which is the most efficient path, the traffic traverses a virtual private network (VPN) tunnel into AWS and then exits through a managed NAT gateway and internet gateway there. The result: the user reaches the internet, but the organization pays three times for one flow: an egress charge from GCP for the traffic sent into the VPN tunnel, the per-gigabyte processing charge on the AWS NAT gateway, and AWS data-transfer-out charges for the traffic that finally leaves through the internet gateway.
 
With the intent check feature in Forward Enterprise, you can confirm that the path the user is currently taking to the internet works — even if it’s costly and creates latency. Intent check can also automatically check that the path is there every time Forward Enterprise takes a new snapshot of your network. In this manner, intent checks provide engineering teams with automatic validation that the posture they require is in place. 

Global view of path trace; users can drill down to a single device detail view
Next, you can use an intent check to learn if the more efficient pathway (GCP → Google NAT gateway → internet) is available and working. The intent check determines that it’s not, categorizing the connection on the list of available paths from GCP to the internet as “failed.” You can then route a ticket to the network teams in AWS and GCP to investigate and resolve the connectivity issue, which is likely due to a misconfiguration. 

Intent checks can be used to prevent multi-cloud routing mistakes
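The two checks described above, reachability (the costly path works) and policy (egress must leave GCP directly through Cloud NAT), reduce to predicates over the hops of a path trace. The following is an added example written for this page; it is not Forward Networks code and does not use the Forward Enterprise API. It models each hop as a (cloud, element kind) pair, and the two hop sequences, the cloud names, and the intent names are constructed to mirror the scenario in the text rather than collected from a real network.

```python
"""Intent checks over cloud path traces (added example, not Forward Networks code).

A path trace is modelled as a sequence of (cloud, element-kind) hops. An intent
states where traffic must start and end, which clouds may carry it in between,
and, optionally, a hop that must be present (the intended egress point).
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Sequence, Tuple

Hop = Tuple[str, str]  # (cloud, element kind)

# Constructed to mirror the observed path in the text:
# GCP VM -> VPN -> AWS managed NAT gateway -> AWS internet gateway -> internet
PATH_VIA_AWS: List[Hop] = [
    ("gcp", "vm"),
    ("gcp", "vpn-gateway"),
    ("aws", "vpn-gateway"),
    ("aws", "nat-gateway"),
    ("aws", "internet-gateway"),
    ("internet", "destination"),
]
# Constructed to mirror the intended path: GCP VM -> Cloud NAT -> internet
PATH_DIRECT: List[Hop] = [
    ("gcp", "vm"),
    ("gcp", "cloud-nat"),
    ("internet", "destination"),
]


@dataclass(frozen=True)
class Intent:
    name: str
    src_cloud: str
    dst_cloud: str                           # "internet" or a cloud name
    allowed_transit: FrozenSet[str]          # clouds permitted between src and dst
    required_hop: Optional[Hop] = None       # hop that must appear on the path


@dataclass
class Result:
    intent: str
    status: str                              # "pass" or "failed"
    reasons: List[str] = field(default_factory=list)


def violations(intent: Intent, path: Sequence[Hop]) -> List[str]:
    """Return every way a single path violates the intent (empty list = satisfied)."""
    reasons = []
    if path[0][0] != intent.src_cloud:
        reasons.append(f"path starts in {path[0][0]}, expected {intent.src_cloud}")
    if path[-1][0] != intent.dst_cloud:
        reasons.append(f"path ends in {path[-1][0]}, expected {intent.dst_cloud}")
    # Every intermediate hop must sit in an allowed cloud. This is the check that
    # catches the GCP -> AWS -> internet detour regardless of the device kinds used.
    foreign = sorted({cloud for cloud, _ in path[1:-1]} - intent.allowed_transit)
    if foreign:
        reasons.append(f"traffic transits {foreign}, allowed: {sorted(intent.allowed_transit)}")
    if intent.required_hop and intent.required_hop not in path:
        reasons.append(f"required hop {intent.required_hop} not on path")
    return reasons


def check(intent: Intent, candidate_paths: Sequence[Sequence[Hop]]) -> Result:
    """Pass if at least one path found in the snapshot satisfies the intent.

    candidate_paths are all paths the snapshot found for the intent's src/dst pair.
    No path at all, or only violating paths, yields "failed" together with the
    per-path reasons, so a ticket raised from the result carries the evidence.
    """
    if not candidate_paths:
        return Result(intent.name, "failed", ["no path from src to dst in snapshot"])
    all_reasons: List[str] = []
    for path in candidate_paths:
        reasons = violations(intent, path)
        if not reasons:
            return Result(intent.name, "pass")
        all_reasons.extend(reasons)
    return Result(intent.name, "failed", all_reasons)


def run_snapshot(snapshot_paths, intents):
    """Evaluate every intent against the paths found in one snapshot."""
    return {intent.name: check(intent, snapshot_paths) for intent in intents}


def changed_intents(before, after):
    """Intents whose status differs between two snapshots (the compare-over-time view)."""
    return sorted(name for name in before if before[name].status != after[name].status)


# The two intents from the text: the traffic reaches the internet somehow, and
# the policy intent that egress must be direct from GCP through Cloud NAT.
REACHES_INTERNET = Intent("gcp-reaches-internet", "gcp", "internet", frozenset({"gcp", "aws"}))
DIRECT_EGRESS = Intent("gcp-direct-egress", "gcp", "internet", frozenset({"gcp"}),
                       required_hop=("gcp", "cloud-nat"))

# Before the fix the snapshot only finds the detour; after it, the direct path.
BEFORE_FIX = run_snapshot([PATH_VIA_AWS], [REACHES_INTERNET, DIRECT_EGRESS])
AFTER_FIX = run_snapshot([PATH_DIRECT], [REACHES_INTERNET, DIRECT_EGRESS])

if __name__ == "__main__":
    for label, results in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for r in results.values():
            print(f"{label}: {r.intent}: {r.status} {r.reasons}")
    print("changed:", changed_intents(BEFORE_FIX, AFTER_FIX))
```

Against the first snapshot the reachability intent passes while the direct-egress intent fails with two reasons (traffic transits aws; the Cloud NAT hop is missing), which is the state the text describes; once the snapshot contains the direct path, both pass and only the direct-egress intent shows up in the change list. Real path traces carry far more per-hop detail, but the decision logic an intent check needs is the same: a reachability predicate, a transit allow-list, and a required egress hop.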
Powerful Insights from Read-Only Data
Forward Enterprise needs only basic, read-only API access to gather the data required to show all possible traffic paths into your cloud environments. None of the permissions used for collection can change configuration or state.
 
We collect config and state data from all your on-premises devices, such as routers, switches, load balancers, and firewalls. And we use publicly available APIs to gather similar read-only information for your various cloud accounts, including those with major providers, to create a digital network twin. 
 
A Single Source of Truth for Your On-Premises, Hybrid, and Multi-Cloud Estate
Forward Networks’ mathematical model creates a complete and always current digital twin of your physical, virtual, and multi-cloud network estate, including config and state information for all network elements and your hybrid or multi-cloud environment. The digital twin provides a comprehensive view of all network behavior, with visibility into every possible path a packet can take. It brings mathematical certainty to network security validations by enabling security operations teams to:

VISUALIZE Layer 2 to Layer 4 topology and all possible traffic paths in a single pane of glass spanning on-premises, cloud (AWS, GCP, and Microsoft Azure), and virtualized environments. View the global network in one view, then drill down to specific devices and traffic flows, including their configuration and state data.

SEARCH the entire estate as simply as a database. Our browser-like search feature performs complete end-to-end path analyses across the network for both on-premises and cloud infrastructure. This also enables you to locate devices and access detailed information on their location, configuration, and state in milliseconds. 

VERIFY that the security policies are extended to the cloud using purpose-built (custom) intent checks. Continuously audit the network and receive actionable alerts for non-compliance with your security policies. Know that applications are compliant before provisioning them.

COMPARE network changes over time to understand their impact on the network and prevent incidents from recurring. The network collector frequently scans the network, saving configuration, topology, and device state snapshots. These snapshots become a searchable historical record of network behavior and compliance at any point in time, and the behavior diffs feature makes it easy to compare two snapshots and identify changes that may violate your security policy.
 
Explore All Aspects of Your Compute Environment With Forward Enterprise
See for yourself how the Forward Enterprise platform can help your network and security teams to monitor and verify all your clouds through a single pane of glass and explore any object in your cloud environment to ensure everything is working exactly as it should be. To see this feature and the power of a network digital twin in action, please request a demo.